Critical WordPress Plug-in Flaw Exposes 4M Sites to Takeover

Published: 23/11/2024   Category: security




A vulnerability found in the Really Simple Security plug-in allows an attacker to remotely gain access to any account on an affected website, including the administrator, when 2FA is enabled.



A WordPress plug-in installed on more than 4 million websites exposes them to full administrative takeover through a scripting flaw that potentially can be used to launch large-scale automated attacks against multiple sites.
Researchers from Wordfence called the authentication bypass flaw one of the more serious vulnerabilities that they have ever identified, uncovering it earlier this month in a plug-in from Really Simple Security that provides WordPress security features for sites, according to a recent blog post. The flaw, rated with a critical CVSS score of 9.8, affects the Really Simple Security Pro and Pro Multisite plug-ins, versions 9.0.0 to 9.1.1.1.
The vulnerability makes it possible for an attacker to remotely gain access to any account on the site, including the administrator account, when the two-factor authentication (2FA) feature is enabled, Wordfence security researcher Istvan Marton wrote in the post.
The flaw exists due to improper user check error handling in the two-factor REST API actions with the check_login_and_get_user function, according to Wordfence. Moreover, because the flaw is scriptable, it can be weaponized against numerous WordPress sites simultaneously in an automated way.
Due to the critical nature of the bug, Wordfence acted quickly after discovering the flaw on Nov. 6 to work with the Really Simple Security team to mitigate it. After immediately disclosing the flaw to the vendor, a patched update, version 9.1.2, was released publicly on Nov. 12. Then, on Wordfence's advice, Really Simple Security force-updated all sites running the plug-in two days later.
Still, Wordfence recommended that any administrator with a site that uses the plug-in confirm that it has been automatically updated to the patched version, as it appears that sites without a valid license may not have auto-updates functioning, Marton noted in the post.
The Really Simple Security plug-in was formerly known as Really Simple SSL; it was renamed in its latest major version update, which also expanded the plug-in with security features such as log-in protection, vulnerability detection, and 2FA.
During this revamp, the 2FA feature was implemented insecurely, introducing the flaw, which allows an attacker to craft a simple request to gain access to any user account that has 2FA enabled.
Specifically, the plug-in uses the skip_onboarding() function in the Rsssl_Two_Factor_On_Board_Api class to handle authentication via REST API that returns a WP_REST_Response error in case of a failure. However, this is not handled within the function, which means that even in the case of an invalid nonce, the function processing continues and invokes authenticate_and_redirect(), Marton wrote. This authenticates the user based on the user id passed in the request, even when that user’s identity hasn’t been verified.
Ultimately, this makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plug-in.
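As an added, hypothetical illustration of the error-handling defect Marton describes (not the plug-in's actual code): a REST handler whose validation helper returns a WP_REST_Response on failure but whose result is never checked, beside the hardened form that returns early and takes the user id only from the verified user. All class, method and field names and the WP_REST_Response stub are assumptions made so the snippet runs outside WordPress.

```php
<?php
// Added illustration of the defect class described above, not the plug-in's
// real code: the validation helper builds an error response when a check fails,
// but the caller never returns it, so execution falls through to the privileged
// step. Names are hypothetical; WP_REST_Response is stubbed (PHP 8.0+).
class WP_REST_Response {
    public function __construct(public mixed $data, public int $status = 200) {}
}

final class TwoFactorOnboardDemo {
    public array $sessions = [];            // every login the handler has granted
    public function __construct(private string $validNonce) {}

    // Hypothetical helper mirroring the described pattern: returns the verified
    // user on success, or an error response (not an exception) on failure.
    private function check_login_and_get_user(array $request): array|WP_REST_Response {
        $nonce = (string) ($request['nonce'] ?? '');
        if (!hash_equals($this->validNonce, $nonce)) {
            return new WP_REST_Response(['error' => 'invalid nonce'], 403);
        }
        return ['ID' => (int) ($request['user_id'] ?? 0)];
    }

    private function authenticate_and_redirect(int $userId): WP_REST_Response {
        $this->sessions[] = $userId;        // the privileged action: log $userId in
        return new WP_REST_Response(['redirect' => '/wp-admin/'], 200);
    }

    // Vulnerable shape: the error result is computed and then ignored, and the
    // user id is taken straight from the unverified request.
    public function skip_onboarding_vulnerable(array $request): WP_REST_Response {
        $this->check_login_and_get_user($request);            // return value unchecked
        return $this->authenticate_and_redirect((int) $request['user_id']);
    }

    // Hardened shape: an error response is propagated at once, and the user id
    // comes only from the verified user object.
    public function skip_onboarding_fixed(array $request): WP_REST_Response {
        $user = $this->check_login_and_get_user($request);
        if ($user instanceof WP_REST_Response) {
            return $user;                                     // stop on failure
        }
        return $this->authenticate_and_redirect($user['ID']);
    }
}

$api = new TwoFactorOnboardDemo('nonce-ok');
$bad = ['nonce' => 'wrong', 'user_id' => 1];      // constructed request with a bad nonce
echo 'vulnerable status: ', $api->skip_onboarding_vulnerable($bad)->status, PHP_EOL;
echo 'fixed status: ', $api->skip_onboarding_fixed($bad)->status, PHP_EOL;
echo 'sessions granted: ', count($api->sessions), PHP_EOL;   // only the vulnerable path adds one
```

The same request is rejected by the hardened handler and silently accepted by the vulnerable one, which is the behaviour the advisory describes; the one-line fix is to act on the helper's error return instead of discarding it.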
As always, authentication bypass vulnerabilities and resulting access to high privileged user accounts make it easy for threat actors to completely compromise a vulnerable WordPress site and further infect it, Marton explained.
Due to its widespread use as a foundation for millions of websites, the WordPress platform and its plug-ins especially are a notoriously popular target for threat actors, giving them easy access to a broad attack surface. Attackers particularly like to exploit individual plug-ins with large install bases, making flaws like the one found in Really Simple Security's plug-in an attractive target.
Even though most sites using the plug-in should have been updated already, Wordfence still advises that users spread the word to ensure the broadest patch coverage possible due to the critical nature of the flaw.
If you know someone who uses these plugins on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk, Marton wrote in the post.
